The application basically offers a Cross-Site Request Forgery protection using the a Struts-based token called "token". While many administrative functionalities like adding new users are protected on this way, some functions are missing this token and are therefore vulnerable to CSR